FreeBSD/alpha 4.6-RELEASE Release Notes The FreeBSD Project Copyright (c) 2000, 2001, 2002 by The FreeBSD Documentation Project $FreeBSD: src/release/doc/en_US.ISO8859-1/relnotes/common/new.sgml,v 1.22.2.249 2002/06/02 16:35:29 bmah Exp $ The release notes for FreeBSD 4.6-RELEASE contain a summary of the changes made in the FreeBSD base system since 4.5-RELEASE. Both changes for kernel and userland are listed, as well as applicable security advisories for the base system that were issued since the last release. Some brief remarks on upgrading are also presented. ---------------------------------------------------------------------- Table of Contents 1 Introduction 2 What's New 2.1 Kernel Changes 2.1.1 Processor/Motherboard Support 2.1.2 Boot Loaders 2.1.3 Network Interface Support 2.1.4 Network Protocols 2.1.5 Disks and Storage 2.1.6 Filesystems 2.1.7 PCCARD Support 2.1.8 Multimedia Support 2.1.9 Contributed Software 2.2 Security Advisories 2.3 Userland Changes 2.3.1 Contributed Software 2.3.2 Ports/Packages Collection 2.4 Release Engineering and Integration 3 Upgrading from previous releases of FreeBSD ---------------------------------------------------------------------- 1 Introduction This document contains the release notes for FreeBSD 4.6-RELEASE on the Alpha/AXP hardware platform. It describes new features of FreeBSD that have been added (or changed) since 4.5-RELEASE. It also provides some notes on upgrading from previous versions of FreeBSD. This distribution of FreeBSD 4.6-RELEASE is a release distribution. It can be found at ftp://ftp.FreeBSD.org/pub/FreeBSD/releases or any of its mirrors. More information on obtaining this (or other) release distributions of FreeBSD can be found in the ``Obtaining FreeBSD'' appendix in the FreeBSD Handbook. ---------------------------------------------------------------------- 2 What's New This section describes the most user-visible new or changed features in FreeBSD since 4.5-RELEASE. Typical release note items document new drivers or hardware support, new commands or options, major bugfixes, or contributed software upgrades. Security advisories for the base system that were issued after 4.5-RELEASE are also listed. ---------------------------------------------------------------------- 2.1 Kernel Changes The kernel dump device can now be set via the dumpdev loader tunable. As a result, it is now possible to obtain crash dumps from panics during the late stages of kernel initialization (before the system enters into single-user mode). The snp(4) device is no longer static and can now be compiled as a module. ---------------------------------------------------------------------- 2.1.1 Processor/Motherboard Support ---------------------------------------------------------------------- 2.1.2 Boot Loaders ---------------------------------------------------------------------- 2.1.3 Network Interface Support The an(4) driver now supports Cisco LEAP, as well as the ``Home'' WEP key. The Linux Aironet utilities are now supported under emulation. The dc(4) driver now has support for VLANs. The fpa(4) driver now works on Alpha machines. The my driver, which supports the Myson Fast Ethernet and Gigabit Ethernet adapters, has been added. The wi(4) driver now has support for Prism II and Prism 2.5-based NICs. 104/128-bit WEP now works on Prism cards. The wi(4) driver now supports using a FreeBSD host as a wireless access point. This functionality can be enabled using the mediaopt hostap option of ifconfig(8). This feature requires a wireless adapter based on the Prism II chipset. The wi(4) driver now has support for bsd-airtools. The xe driver can now be built as a module. Selected network drivers now implement a semi-polling mode, which makes systems much more resilient to attacks and overloads. To enable polling, the following options are required in a kernel configuration file: options DEVICE_POLLING options HZ=1000 # not compulsory but strongly recommended The kern.polling.enable sysctl variable will then activate polling mode; with the kern.polling.user_frac sysctl indicating the percentage of CPU time to be reserved for userland. The devices initially supporting polling are dc(4), fxp(4), rl(4), and sis(4). More details can be found in the polling(4) manual page. ---------------------------------------------------------------------- 2.1.4 Network Protocols bridge(4) now has better support for multiple, fully-independent bridging clusters, and is much more stable in the presence of dynamic attachments and detatchments. Full support for VLANs is also supported. A bug in the IPsec processing for IPv4, which caused the inbound SPD checks to be ignored, has been fixed. A new ng_eiface netgraph module has been added, which appears as an Ethernet interface but delivers its Ethernet frames to a Netgraph hook. A new ng_etf(4) netgraph node allows Ethernet type packets to be filtered to different hooks depending on ethertype. The tcp(4) syncache implementation had a bug that could cause kernel panics; this has been fixed. The TCP implementation now properly ignores packets addressed to IP-layer broadcast addresses. ---------------------------------------------------------------------- 2.1.5 Disks and Storage The ahc(4) driver was synchronized with the version from FreeBSD -CURRENT as of 29 April 2002. The ata(4) driver was synchronized with the driver from FreeBSD -CURRENT as of 18 March 2002. Important: Some users have experienced problems during testing with ATA tagged queueing. Typical symptoms are read timeouts at boot time leading to a failure to mount the root filesystem. These problems have only appeared on systems having disks supporting tagged queueing attached to motherboard ATA controllers. As this feature is only supported by certain ATA hard disks, and must be enabled explicitly (by setting hw.ata.tags="1" in /boot/loader.conf), this should not pose a problem for a majority of users. The ata(4) driver now has support for creating, deleting, querying, and rebuilding ATA RAIDs under control of atacontrol(8). ---------------------------------------------------------------------- 2.1.6 Filesystems A bug was been fixed in soft updates that could cause occasional filesystem corruption if the system is shut down immediately after performing heavy filesystem activities, such as installing a new kernel or other software. ---------------------------------------------------------------------- 2.1.7 PCCARD Support ---------------------------------------------------------------------- 2.1.8 Multimedia Support ---------------------------------------------------------------------- 2.1.9 Contributed Software 2.1.9.1 IPFilter IPFilter has been updated to 3.4.27. ---------------------------------------------------------------------- 2.2 Security Advisories An ``off-by-one'' bug has been fixed in OpenSSH's multiplexing code. This bug could have allowed an authenticated remote user to cause sshd(8) to execute arbitrary code with superuser privileges, or allowed a malicious SSH server to execute arbitrary code on the client system with the privileges of the client user. (See security advisory FreeBSD-SA-02:13.) A programming error in zlib could result in attempts to free memory multiple times. The malloc(3)/free(3) routines used in FreeBSD are not vulnerable to this error, but applications receiving specially-crafted blocks of invalid compressed data could be made to function incorrectly or abort. This zlib bug has been fixed. For a workaround and solutions, see security advisory FreeBSD-SA-02:18. Bugs in the TCP SYN cache (``syncache'') and SYN cookie (``syncookie'') implementations, which could cause legitimate TCP/IP traffic to crash a machine, have been fixed. For a workaround and patches, see security advisory FreeBSD-SA-02:20. A routing table memory leak, which could allow a remote attacker to exhaust the memory of a target machine, has been fixed. A workaround and patches can be found in security advisory FreeBSD-SA-02:21. A bug with memory-mapped I/O, which could cause a system crash, has been fixed. For more information about a solution, see security advisory FreeBSD-SA-02:22. A security hole, in which SUID programs could be made to read from or write to inappropriate files through manipulation of their standard I/O file descriptors, has been fixed. Information regarding a solution can be found in security advisory FreeBSD-SA-02:23. Some unexpected behavior could be allowed with k5su(8) because it does not require that an invoking user be a member of the wheel group when attempting to become the superuser (this is the case with su(1)). To avoid this situation, k5su(8) is now installed non-SUID by default (effectively disabling it). More information can be found in security advisory FreeBSD-SA-02:24. Multiple vulnerabilities were found in the bzip2(1) utility, which could allow files to be overwritten without warning or allow local users unintended access to files. These problems have been corrected with a new import of bzip2. For more information, see security advisory FreeBSD-SA-02:25. A bug has been fixed in the implementation of the TCP SYN cache (``syncache''), which could allow a remote attacker to deny access to a service when accept filters (see accept_filter(9)) were in use. This bug has been fixed; for more information, see security advisory FreeBSD-SA-02:26. Due to a bug in rc(8)'s use of shell globbing, users may be able to remove the contents of arbitrary files if /tmp/.X11-unix does not exist and the system can be made to reboot. This bug has been corrected (see security advisory FreeBSD-SA-02:27). ---------------------------------------------------------------------- 2.3 Userland Changes atacontrol(8) has been added to control various aspects of the ata(4) driver. On ATAPI CDROM drives, cdcontrol(1) now supports a speed command to set the maximum speed to be used by the drive. ctags(1) no longer creates a corrupt tags file if the source file used // (C++-style) comments. dump(8) now supplies progress information in its process title, useful for monitoring automated backups. /etc/rc.firewall and /etc/rc.firewall6 will no longer add their own hardcoded rules in the cases of a rules file in the firewall_type variable or a non-existent firewall type. (The motivation for this change is to avoid acting on assumptions about a site's firewall policies.) In addition, the closed firewall type now works as documented in the rc.firewall(8) manual page. The functionality of /etc/security has been been moved into a set of scripts under the periodic(8) framework, to make local customization easier and more maintainable. These scripts now reside in /etc/periodic/security/. The ether address family of ifconfig(8) has been changed to a more generic link family (ether is still accepted for backwards compatability). fsdb(8) now supports a blocks command to list the blocks allocated by a particular inode. ispppcontrol(8) has been deleted, and its functionality has been folded into spppcontrol(8). k5su(8) is no longer installed SUID root by default. Users requiring this feature can either manually change the permissions on the k5su(8) executable or add ENABLE_SUID_K5SU=yes to /etc/make.conf before a source upgrade. ldd(1) can now be used on shared libraries, in addition to executables. last(1) now supports a -y flag, which causes the year to be included in the session start time. libstand now has support for loading large kernels and modules split across several physical media. libusb has been renamed as libusbhid, following NetBSD's naming conventions. lpd(8) now recognizes the -s flag as the preferred synonym for -p (these flags cause lpd(8) not to open a socket for network print jobs). lpd(8) now implements a new rc printcap option. When specified in a print queue for a remote host, boolean option causes lpd(8) to resend the data file for each copy the user requested via lpr -#n. ls(1) now accepts a -h flag, which when combined with the -l flag, causes file sizes to be printed with unit suffixes, such that the number of digits printed is fewer than four. m4(1) now accepts a -s flag to cause it to emit #line directives for use by cpp(1). mergemaster(8) now supports two new flags. The -p flag enables a ``pre-buildworld'' mode to compare files known to be essential to the success of the buildworld and installworld system updating steps. The -C flag, used after a successful mergemaster(8) run, compares options in /etc/rc.conf to the default options in /etc/defaults/rc.conf. ngctl(8) now supports a write command to send a data packet down a given hook. patch(1) now accepts a -i command-line flag to read a patch from a file, rather than standard input. A pam_ssh(8) module has been added to allow the use of SSH passphrases and keypairs for authentication. This module also handles session management by invoking ssh-agent(1). pr(1) now supports the -f and -p flags to pause output going to a terminal. The -W option to ps(1) (to extract information from a specified swap device) has been useless for some time; it has been removed. reboot(8) now takes a -k to specify the next kernel to boot. sshd(8) no longer emits fake S/Key challenges for users who do not have S/Key enabled. The prior behavior created confusing, useless one-time-password prompts when using some newer SSH clients to connect to a FreeBSD system. sysinstall(8) now has rudimentary support for retrieving packages from the correct volume of a multiple-volume installation (such as a multi-CD distribution). tftp(1) and tftpd(8) now support IPv6. The usbhidctl(1) utility has been added to manipulate USB Human Interface Devices. uuencode(1) and uudecode(1) now accept a -o option to set their output files. uuencode(1) can now be made to do base64 encoding when given the -m flag, while uudecode(1) can now automatically decode base64 files. watch(8) now takes a -f option to specify a snp(4) device to use. Locales with names of the form *.EUC have been renamed to the form *.euc??. For example, ja_JP.EUC has become ja_JP.eucJP. This improves locale name compatability with FreeBSD CURRENT, X11R6, and a number of other UNIX versions. The locale support was synchronized with the code from FreeBSD -CURRENT. This change brings support for the LC_NUMERIC, LC_MONETARY, and LC_MESSAGES categories, as well as improvements to strftime(3), revised locale definitions, and improvement of the localization of many base system programs. ---------------------------------------------------------------------- 2.3.1 Contributed Software BIND has been updated to 8.3.2-T1B. bzip2 has been updated to 1.0.2. Heimdal Kerberos has been updated to 0.4e. The ISC DHCP client has been updated to 3.0.1RC8. texinfo has been updated to 4.1. The timezone database has been updated to the tzdata2002c release. ---------------------------------------------------------------------- 2.3.1.1 Sendmail sendmail has been updated to 8.12.3. sendmail(8) is no longer installed as a set-user-ID root binary (now set-group-ID smmsp). See /usr/src/contrib/sendmail/RELEASE_NOTES and /etc/mail/README for more information. With this sendmail upgrade, multiple sendmail daemons (some required to handle outgoing mail) are started by rc(8), even if the sendmail_enable variable is set to NO. To completely disable sendmail, sendmail_enable must be set to NONE. Alternatively, for systems using a different MTA, the mta_start_script variable can be used to point to a different startup script (more details can be found in rc.sendmail(8)). The permissions for sendmail alias and map databases built via /etc/mail/Makefile now default to mode 0640 to protect against a file locking local denial of service. It can be changed by setting the new SENDMAIL_MAP_PERMS make.conf option. The permissions for the sendmail statistics file, /var/log/sendmail.st, have been changed from mode 0644 to mode 0640 to protect against a file locking local denial of service. ---------------------------------------------------------------------- 2.3.2 Ports/Packages Collection The Ports Collection infrastructure now uses XFree86 4.2.0 as the default version of the X Window System for the purposes of satisfying dependencies. To return to using XFree86 3.3.6, add the following line to /etc/make.conf: XFREE86_VERSION=3 ---------------------------------------------------------------------- 2.4 Release Engineering and Integration XFree86 4.2.0 is now the default version of the X Window System supported by sysinstall(8). It installs XFree86 as a set of standard binary packages, so the usual package utilities such as pkg_info(1) can be used to examine/manipulate its components. ---------------------------------------------------------------------- 3 Upgrading from previous releases of FreeBSD If you're upgrading from a previous release of FreeBSD, you generally will have three options: * Using the binary upgrade option of sysinstall(8). This option is perhaps the quickest, although it presumes that your installation of FreeBSD uses no special compilation options. * Performing a complete reinstall of FreeBSD. Technically, this is not an upgrading method, and in any case is usually less convenient than a binary upgrade, in that it requires you to manually backup and restore the contents of /etc. However, it may be useful in cases where you want (or need) to change the partitioning of your disks. * From source code in /usr/src. This route is more flexible, but requires more disk space, time, and more technical expertise. Upgrading from very old versions of FreeBSD may be problematic; in cases like this, it is usually more effective to perform a binary upgrade or a complete reinstall. Please read the INSTALL.TXT file for more information, preferably before beginning an upgrade. If you are upgrading from source, please be sure to read /usr/src/UPDATING as well. Finally, if you want to use one of various means to track the -STABLE or -CURRENT branches of FreeBSD, please be sure to consult the ``-CURRENT vs. -STABLE'' section of the FreeBSD Handbook. Important: Upgrading FreeBSD should, of course, only be attempted after backing up all data and configuration files. ---------------------------------------------------------------------- This file, and other release-related documents, can be downloaded from ftp://ftp.FreeBSD.org/pub/FreeBSD/releases. For questions about FreeBSD, read the documentation before contacting . For questions about this documentation, e-mail .